Brief description:

SDCMS admin backend bypass, direct entry (tested on version 2.0 beta2; other versions not tested)

Detailed description:
Islogin: the method that decides whether the caller is logged in

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)    ' loadcookie: see the cookie functions below
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is useless: sdcms.strlen(t2)<>50 places no requirement on the content of
        ' loginkey; any 50-character value passes and execution continues.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Looks the admin up by ID; the ID comes straight from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' VBScript InStr returns 0 (never a negative number) when the substring is not found,
                ' so instr(...)<0 is never true: the decrypted cookie value is never really compared
                ' against the stored name/password, and only data(3,0)=0 can still reject the request.
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' From here on the cookie-supplied admin is treated as a logged-in session
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the cookie-handling functions:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

'Variable prefix. If this program is installed more than once under the same hosting space, configure a different value for each installation
dim prefix
prefix="1Jb8Ob"
'This value can be obtained by visiting admin/login.asp?act=out: it appears in the cookie names

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub

Exploitation method: set the cookie prefix+loginkey to any 50 characters and prefix+islogin to anything, then cycle through prefix+adminid (the default is 1) and visit the admin backend. That's it!

Fix:

Modify the function!
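To make the failing comparison in islogin() concrete, and to show the direction a fix should take, here is an added example that is not SDCMS code: a Python model of the original cookie decision logic, using VBScript InStr semantics (0 when not found, never negative), beside a hardened check in which the login cookie is an HMAC over the admin id and current password hash under a secret that never leaves the server. The admin table rows, the server secret, the token format and the function names are constructed assumptions for the example.

```python
# Added example: models the SDCMS islogin() cookie check and a hardened alternative.
# Not SDCMS code; ADMINS, SERVER_SECRET and the token format are constructed assumptions.
import hashlib
import hmac
import secrets

# Constructed sample of the sd_admin table: adminid -> (adminname, adminpass, islock, groupid)
ADMINS = {
    1: ("admin", "5f4dcc3b5aa765d61d8327deb882cf99", 1, 0),   # constructed row
    2: ("editor", "098f6bcd4621d373cade4e832627b4f6", 0, 3),  # constructed row, islock=0
}


def vb_instr(haystack, needle):
    """VBScript InStr semantics: 1-based position of needle, 0 when not found (never negative)."""
    pos = haystack.find(needle)
    return pos + 1 if pos >= 0 else 0


def vulnerable_islogin(cookies, decrypt):
    """Mirrors the decision logic of the original islogin().

    Returns the admin id it would trust, or None where the original redirects to
    login.asp?act=out. `decrypt` stands in for sdcms.decrypt, whose output is irrelevant here.
    """
    try:
        t0 = int(cookies.get("adminid", ""))   # sdcms.getint(loadcookie("adminid"), 0)
    except ValueError:
        t0 = 0
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    # Only the length of loginkey is checked, not its content.
    if t1 == "" or len(t2) != 50:
        return None
    row = ADMINS.get(t0)                        # "adminid=" & t0, attacker-controlled
    if row is None:
        return None
    adminname, adminpass, islock, groupid = row
    # instr(...) < 0 can never be true, so the decrypted cookie is never compared;
    # islock=0 is the only remaining way to be rejected.
    if vb_instr(adminname + adminpass, decrypt(t1, t2)) < 0 or islock == 0:
        return None
    return t0


# Hardened design (an assumption, not SDCMS's own fix): the login cookie is an HMAC, keyed with
# a per-installation secret that never leaves the server, over the admin id and password hash.
SERVER_SECRET = secrets.token_bytes(32)         # generated once at deploy time, never sent to clients


def issue_token(adminid):
    """Issued only after a successful password check; changing the password invalidates it."""
    adminname, adminpass, islock, groupid = ADMINS[adminid]
    msg = f"{adminid}:{adminpass}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_islogin(cookies):
    """Returns the admin id only when the islogin cookie carries a valid token for that id."""
    try:
        adminid = int(cookies.get("adminid", ""))
    except ValueError:
        return None
    row = ADMINS.get(adminid)
    if row is None or row[2] == 0:              # unknown id, or rejected on islock=0 as in the original
        return None
    # Constant-time comparison; a guessed adminid cannot be paired with a matching MAC
    # without the server secret, so cycling through ids gains nothing.
    if not hmac.compare_digest(cookies.get("islogin", ""), issue_token(adminid)):
        return None
    return adminid


if __name__ == "__main__":
    forged = {"adminid": "1", "islogin": "anything", "loginkey": "A" * 50}
    print("original logic trusts forged cookie as admin:", vulnerable_islogin(forged, lambda d, k: "junk"))
    print("hardened logic trusts forged cookie as admin:", hardened_islogin(forged))
    print("hardened logic with a real token:", hardened_islogin({"adminid": "1", "islogin": issue_token(1)}))
```

The model keeps the original's treatment of islock (a row with islock=0 is rejected) so the two checks differ only in how the cookie is verified: the original's outcome depends on a length test plus a comparison that can never fail, while the hardened one requires a MAC the client cannot compute.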